ISSUES: Kent Landfield sent out a
revised deck that had some of what was discussed in the last Strategic Planning Working Group (SPWG) meeting. Started with roles that Dave Waltermire created and the SPWG has been working to expand the roles and provide additional detail. That was the real
focus of the last two meetings. There was a lot of participation in the last meeting, which is good. We found some things that were missing, so we added a terminology slide and an automation slide, which will be included in next version of the deck. Consensus
is that we are heading in the right direction.

ACTIONS: Discuss use cases for CVE ID assignment now and in the future at the next meeting.

BOARD DECISIONS:
N/A

Automation Working Group (George Theall)

ISSUES:
Discussed CNA list proposal, focused on unique identifiers for CNAs. Consensus was reached on using a universal unique identifier (for file names). We intend to update the existing
CVE JSON files to include that identifier. There was also some discussion about how to express points of contact. We are concerned with how we might pass information back and forth via forms or emails—what does it have to look like? That discussion continues.
Would be helpful to spell out what is NOT required.

Dave Waltermire: We discussed last time the possibility of being able to provide instructions to someone to stand in
as an alternate if a Board Member must be away for an extended amount of time.

Kent Landfield: Many other Boards allow a proxy (who would be an existing Board member).

TK Keanini: If we are just talking about voting, I think the proxy idea works well. It’s a different problem if we
are talking about something other than voting.

Andy
Balinsky: There are very different issues if you know what the vote issue is and can advise the proxy how to vote on your behalf or if you just tell someone to vote on your behalf for
whatever comes up.

Pascal Meunier: This may be a moot problem. We haven’t really had the need for a proxy before, have we?

Kent: There have been times where we have had close votes, and so there may be a time where a proxy will be needed.
There are 22 current Board members.

Chris C: The last vote we had was the best I’ve ever seen with regards to how quickly votes were cast and the numbers
of votes received.

Dave: If you know you’re going to be gone and there is a vote coming up, we can handle that by pre-voting. A proxy
would be needed only if it’s an unanticipated leave of absence.

TK: Plus, the proxy will be a trusted associate and most likely be able to get in touch with you before casting a vote.

ACTION: (MITRE) Add words regarding
proxy voting into the charter and send around to the Board for comments and a vote.

CVE CNA Summit Planning – Joe Sain

STATUS:

Preparations are in the final phases; working with Security Services, A/V, and Meeting Logistics staff.

The project will not be providing food; MITRE Café is close to the meeting location.

Non-US citizens are not permitted to bring personal electronic devices into the meeting.

Dave W: We need to think longer and harder about a more suitable venue where we don’t have to deal with these security
issues.

Joe Sain: We agree completely, and our wrap-up session will cover the location for future events.

Chris C: I put together some basic slides. We have some input on the discussions, but we’d like to keep each discussion
just that—discussions versus presentations. If anyone has thoughts on anything you’d like to add, please let me know.

Dave W: We can hold this at the National Cybersecurity Center of Excellence (NCCoE) next time.

ACTIONS: Chris C to send out slide
deck for review and comments.

Open Discussion

Kent L: Maybe we could have a SPWG face to face meeting to talk about roles. Perhaps we could do this on Wednesday
(after summit) for anyone wanting to stay for a deeper conversation.

Dave W: Yes, doing some whiteboarding may be a quick way to capture some of the processes and how things are working
/ how they might work with a different division of roles. Would be helpful to have Chris C and Jonathan present.

Chris: Agreed; it may be better to do this later in the evening on Tuesday. Jonathan pointed out we have the room for
both entire days and we don’t have a full day scheduled for Wednesday, so we could perhaps do this the afternoon of Wednesday.

Mark Cox: We will be submitting all future things in JSON. It’s a first test, really. If it works out, then the next
step is to do it through Apache.

Kent L: As discussed in the last SPWG meeting, we have historically used block allocation of IDs, but they require
a lot of resources for MITRE to keep track of them (40 hours a year). The reality is, with the proper services environment, we may be able to do this in a much more automated way. Allow CNAs, through a trusted mechanism, to retrieve the number of CVE IDs they
need when they need them. A byproduct with be centralization, which is both a positive and a negative. The question is, we need to think of taking humans out of the process where they don’t need to be in the process (automate). We can put the real work that
requires the human in the right place.

Kurt: If we do the automation, would it be only root CNAs? That kind of decision would have to be made.

Chris: We’ve talked about federation and you as a root get a block that you re-assign down the line, but if we went
to automation and you could get IDs on demand, would it even go to the roots first, or could anybody go to the service and request IDs as they need them?

Kurt: Can we do a hybrid model?

Dave W: The payoff for something like this is when we start to implement a more robust reporting system as part of
the ID allocation and the business processes around it. Technically, you’re supposed to collect statistics around what your CNAs are doing and provide that back, which is an additional workload that you’re taking on currently.

Kent: We could discuss this more at the SPWG face to face after the summit.

Summary of Action Items

MITRE to draft words for charter to support proxy voting

Chris will send out draft slides for the summit

SPWG to discuss use cases for CVE ID assignment now and in the future

Let Summit attendees know that we will be having the SPWG face to face meeting after the summit on Wednesday afternoon